OSV-MAL-2026-5540

Malicious code in @monitoring-lib/error-tracking (npm)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (491603ad44ed812c3d248696b00f7d4801a4c1dc23e4f23a3bb86f2ef499616d) On `npm install`, the `preinstall` lifecycle hook in package.json runs a Node one-liner that reads the installer's hostname (`os.hostname()`) and username (`os.userInfo().username`) and transmits them to an attacker-controlled Interactsh/OAST callback domain via two channels: an HTTPS GET request to `https://d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site/?h=<hostname>&u=<username>` and a DNS lookup of `monitoring-lib.<hostname>.d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site`. The package name uses a generic scope (`@monitoring-lib`) that does not correspond to a known publisher, and the version number `9999.0.0` is the canonical shape of a dependency-confusion attack — a public registry upload designed to override an organization's internal package of the same name. Combined, the package is a supply-chain recon beacon: any installer that resolves to this version leaks its host identity to the attacker, identifying victims whose private-registry configurations failed. ## Source: ossf-package-analysis (160b44403dfdcc6f9b6a3390ac9d1a2a55ed88c8a3cfd660850d573a89682453) The OpenSSF Package Analysis project identified '@monitoring-lib/error-tracking' @ 9999.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.